{ "id": "b605da3a-0ef6-4bd0-921b-df7cb7ec317d", "created_at": "2026-04-06T00:21:41.423249Z", "updated_at": "2026-04-10T03:34:16.034376Z", "deleted_at": null, "sha1_hash": "13f98f5bfe0c0f7ac3fc1e812418c26ac166daa3", "title": "Dark Caracal - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 39987, "plain_text": "Dark Caracal - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:25:04 UTC\r\nDescription(Lookout) Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a\r\npersistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging\r\nto the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes\r\nof exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual\r\nproperty and personally identifiable information. We are releasing more than 90 indicators of compromise (IOC)\r\nassociated with Dark Caracal including 11 different Android malware IOCs; 26 desktop malware IOCs across\r\nWindows, Mac, and Linux; and 60 domain/IP based IOCs.\r\nDark Caracal targets include individuals and entities that a nation state might typically attack, including\r\ngovernments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors.\r\nWe specifically uncovered data associated with military personnel, enterprises, medical professionals, activists,\r\njournalists, lawyers, and educational institutions during this investigation. Types of data include documents, call\r\nrecords, audio recordings, secure messaging client content, contact information, text messages, photos, and\r\naccount data.\r\nObservedSectors: Defense, Education, Financial, Government, Healthcare, Manufacturing, Media, Utilities and\r\nactivists, lawyers and journalists.\r\nCountries: China, France, Germany, India, Italy, Jordan, Lebanon, Nepal, Netherlands, Pakistan, Philippines,\r\nQatar, Russia, Saudi Arabia, South Korea, Switzerland, Syria, Thailand, USA, Venezuela, Vietnam.\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=fc5237e5-874a-4892-af91-f50550dd9588\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=fc5237e5-874a-4892-af91-f50550dd9588\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=fc5237e5-874a-4892-af91-f50550dd9588" ], "report_names": [ "showcard.cgi?u=fc5237e5-874a-4892-af91-f50550dd9588" ], "threat_actors": [ { "id": "8de10e16-817c-4907-bd98-b64cf4a3e77b", "created_at": "2022-10-25T15:50:23.552766Z", "updated_at": "2026-04-10T02:00:05.362919Z", "deleted_at": null, "main_name": "Dark Caracal", "aliases": [ "Dark Caracal" ], "source_name": "MITRE:Dark Caracal", "tools": [ "FinFisher", "CrossRAT", "Bandook" ], "source_id": "MITRE", "reports": null }, { "id": "4a62c0be-1583-4d82-8f91-46e3a1c114e6", "created_at": "2023-01-06T13:46:38.73639Z", "updated_at": "2026-04-10T02:00:03.083265Z", "deleted_at": null, "main_name": "Dark Caracal", "aliases": [ "G0070" ], "source_name": "MISPGALAXY:Dark Caracal", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "af704c54-a580-4c29-95f2-82db06fbb6f9", "created_at": "2022-10-25T16:07:23.525064Z", "updated_at": "2026-04-10T02:00:04.64019Z", "deleted_at": null, "main_name": "Dark Caracal", "aliases": [ "ATK 27", "G0070", "Operation Dark Caracal", "TAG-CT3" ], "source_name": "ETDA:Dark Caracal", "tools": [ "Bandok", "Bandook", "CrossRAT", "FinFisher", "FinFisher RAT", "FinSpy", "Pallas", "Trupto" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434901, "ts_updated_at": 1775792056, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/13f98f5bfe0c0f7ac3fc1e812418c26ac166daa3.pdf", "text": "https://archive.orkl.eu/13f98f5bfe0c0f7ac3fc1e812418c26ac166daa3.txt", "img": "https://archive.orkl.eu/13f98f5bfe0c0f7ac3fc1e812418c26ac166daa3.jpg" } }